RSA has finally admitted publicly that the March breach of its systems has resulted in the compromise of its SecurID two-factor authentication tokens. The admission comes in the wake of cyber intrusions into the networks of three US military contractors: Lockheed Martin, L-3 Communications and Northrop Grumman. One of the intrusions was confirmed by the company; the others were hinted at by internal warnings and an unusual domain name and password reset process.

In the end you just write it down on a piece of paper next to the PC just to remember the stuff. Bye security!

Obviously, you're referring to something different - that is not how RSA's SecurID works. There's nothing you can write down; the key value shown on the display changes every 30 seconds or so, and this is synchronized with a server-side key value that also changes at the same time.

That is PRECISELY why these keys exist, so that users must have them in their possession to be authenticated. That's the generally-accepted definition of two-factor: authentication by something you know + something you have.

Edit: Re-reading your post, I think I understand why you don't get it... you keep trying to write down the key and re-use it again? um... no.

"That is PRECISELY why these keys exist, so that users must have them in their possession to be authenticated.

Well, that's the theory, at least. But it somewhat falls down if someone manages to get hold of the random seeds that the hardware keys work off, as the article suggests has happened... "

Yup, good thing those people should *also* have a strong password that must be brute-forced -- and if they used public/private key challenge/response in combination with the SecurID tokens, that could be a pretty big hurdle to overcome for someone who was only able to compromise one of the two methods.

In theory, with two-factor authentication, you can more easily identify when one of the two mechanisms has been compromised before the other one can be brute-forced.

Anyhow, I don't care all that much - RSA isn't one of my favorite "security" companies.
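
The mechanism the thread argues about, as an added example that is not part of the original discussion or RSA's code: a time-synchronized code checked server-side together with a password, showing why a written-down code stops working, why a copied seed leaves only the password standing, and how a valid code with a wrong password becomes a detection signal. SecurID's algorithm is proprietary, so RFC 6238 TOTP is used as a stand-in; `Verifier`, `token_code`, the result strings, the seed and the salt are constructed for illustration.

```python
import hashlib, hmac, struct

STEP = 30                        # seconds per code, the interval quoted in the thread
SEED = b"12345678901234567890"   # constructed sample seed (the RFC 6238 test key)
SALT = b"constructed-salt"       # constructed; a real system uses a random per-user salt

def token_code(seed, unix_time, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code depends only on seed and time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

class Verifier:
    """Server side: holds the same seed as the token, plus the password hash."""
    def __init__(self, seed, password):
        self.seed = seed
        self.pw_hash = hash_password(password)
        self.last_step = -1      # newest time step already accepted

    def login(self, password, code, now, drift=1):
        """Return the reason for the server's log; a client would only see pass/fail."""
        pw_ok = hmac.compare_digest(hash_password(password), self.pw_hash)
        current = now // STEP
        matched = None
        # Accept the current step and its neighbours to tolerate clock drift.
        for step in range(max(0, current - drift), current + drift + 1):
            if hmac.compare_digest(token_code(self.seed, step * STEP), code):
                matched = step
        if matched is None:
            return "bad-code"        # includes a code written down and tried later
        if matched <= self.last_step:
            return "replayed-code"   # each code is accepted once
        if not pw_ok:
            return "bad-password"    # valid code, wrong password: alert on this
        self.last_step = matched
        return "ok"
```
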